Technical Field
The embodiments of the present application relate to the field of network security technology, and in particular to a communication authentication method and related devices, a storage medium, and a computer program product.
Background Art
With the rapid development of Internet technology, the network security risks faced by information systems keep increasing and the threats grow more severe. Cryptographic security is an important foundation of information security and is used to protect the data of networked information systems; cryptographic technology is the core technology and a key means of protecting them.
At present, the network authentication protocol of the communication network is implemented with a 128-bit communication authentication algorithm, which completes authentication and key agreement between the Universal Subscriber Identity Module (USIM) in the user equipment and the Unified Data Management (UDM) function. The underlying primitive of this algorithm is AES-128, and the key shared between the USIM and the UDM is 128 bits long.
However, with the development of quantum computing, traditional cryptographic algorithms face serious security threats. Quantum computers have powerful computing capability and can greatly reduce the difficulty of breaking symmetric cryptographic algorithms, yet user equipment often cannot provide a 256-bit security level: it has difficulty computing keys with sufficient entropy, its randomness is insufficient, and it is easily attacked, so the security of communication authentication is low.
Summary of the Invention
The embodiments of the present application provide a communication authentication method and related devices, a storage medium, and a computer program product. For the case where the USIM in the user equipment supports a 128-bit communication authentication algorithm, both the user equipment side and the home network side obtain the symmetric encryption key generated during the PQC_KEM computation and use it to protect information such as the authentication token, thereby improving the security of communication authentication.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides a communication authentication method applied to the mobile equipment ME in a user equipment UE, where the UE further includes a universal subscriber identity module USIM; the method includes:
when the USIM supports a 128-bit communication authentication algorithm, encrypting the subscriber permanent identifier SUPI of the USIM with a key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm to generate a subscription concealed identifier SUCI, and saving the symmetric encryption key generated in the PQC_KEM computation;
forwarding the SUCI through the relevant network elements to a target network element in the home network, so that the target network element obtains the symmetric encryption key from the SUCI, processes a first authentication token with the symmetric encryption key, and forwards the result to the ME through the relevant network elements.
In the above method, forwarding the SUCI through the relevant network elements to the target network element in the home network includes:
forwarding the SUCI to the target network element through the relevant network elements when the registration request is initiated.
In the above method, after saving the symmetric encryption key generated in the PQC_KEM computation, the method further includes:
receiving a random number and a second authentication token generated by the target network element, and obtaining the first authentication token from the symmetric encryption key and the second authentication token, where the second authentication token is generated by processing the first authentication token with the symmetric encryption key;
sending the random number and the first authentication token to the USIM, so that the USIM performs synchronization authentication based on the first authentication token and, after the synchronization authentication passes, generates a first encryption key and a first integrity key from the random number and the first authentication token.
The above method further includes:
when the USIM synchronization authentication passes, receiving the first encryption key and the first integrity key sent by the USIM;
constructing, with the symmetric encryption key, a second encryption key from the first encryption key and a second integrity key from the first integrity key;
where the second encryption key and the second integrity key are used for key derivation.
The above method further includes:
when the USIM synchronization authentication fails, receiving a first resynchronization authentication token sent by the USIM;
processing the first resynchronization authentication token with the symmetric encryption key to generate a second resynchronization authentication token;
forwarding the second resynchronization authentication token to the target network element through the relevant network elements.
An embodiment of the present application provides a communication authentication method applied to a target network element in the home network; the method includes:
receiving a subscription concealed identifier SUCI generated by the mobile equipment ME in a user equipment UE, where the UE further includes a universal subscriber identity module USIM, the USIM supports a 128-bit communication authentication algorithm, and the SUCI is generated by encrypting the subscriber permanent identifier SUPI of the USIM with a key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm;
decrypting the SUCI with the PQC_KEM and saving the symmetric encryption key generated in the PQC_KEM computation;
processing a first authentication token with the symmetric encryption key and forwarding the result to the ME through the relevant network elements.
In the above method, processing the first authentication token with the symmetric encryption key and forwarding the result to the ME through the relevant network elements includes:
generating a first vector from the 128-bit root authentication key of the USIM, the first vector containing a random number, an expected authentication response, the first authentication token, a first encryption key and a first integrity key;
processing the first authentication token with the symmetric encryption key to generate a second authentication token;
constructing, with the symmetric encryption key, a second encryption key from the first encryption key and a second integrity key from the first integrity key, where the second encryption key and the second integrity key are used for key derivation;
constructing an authentication vector from the random number, the expected authentication response, the second authentication token, the second encryption key and the second integrity key, where the authentication vector contains the random number and the second authentication token;
forwarding the authentication vector through the relevant network elements, so that the second authentication token in the authentication vector is sent to the ME together with the random number.
In the above method, after saving the symmetric encryption key generated in the PQC_KEM computation, the method further includes:
upon receiving a second resynchronization authentication token generated by the ME, obtaining a first resynchronization authentication token from the symmetric encryption key and the second resynchronization authentication token, where the second resynchronization authentication token is generated by processing the first resynchronization authentication token with the symmetric encryption key;
verifying the validity of the first resynchronization authentication token and synchronizing the sequence number.
An embodiment of the present application provides an ME, including a first processor, a first memory and a first communication bus;
the first communication bus is used to implement the communication connection between the first processor and the first memory;
the first processor is used to execute one or more computer programs stored in the first memory, so as to implement the communication authentication method applied to the ME.
An embodiment of the present application provides a target network element, including a second processor, a second memory and a second communication bus;
the second communication bus is used to implement the communication connection between the second processor and the second memory;
the second processor is used to execute one or more computer programs stored in the second memory, so as to implement the communication authentication method applied to the target network element.
An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above communication authentication method are implemented.
An embodiment of the present application provides a computer program product including a computer program; when the computer program is executed by a processor, the steps of the above communication authentication method are implemented.
The embodiments of the present application provide a communication authentication method and related devices, a storage medium, and a computer program product. The method applied to the ME includes: when the USIM supports a 128-bit communication authentication algorithm, encrypting the subscriber permanent identifier SUPI of the USIM with PQC_KEM to generate a SUCI, and saving the symmetric encryption key generated in the PQC_KEM computation; forwarding the SUCI through the relevant network elements to the target network element in the home network, so that the target network element obtains the symmetric encryption key from the SUCI, processes the first authentication token with the symmetric encryption key, and forwards the result to the ME through the relevant network elements. For the case where the USIM in the user equipment supports a 128-bit communication authentication algorithm, the technical solution of the embodiments lets both the user equipment side and the home network side obtain the symmetric encryption key generated in the PQC_KEM computation and use it to protect information such as the authentication token, thereby improving the security of communication authentication.
Brief Description of the Drawings
FIG. 1 is a first flow chart of a communication authentication method provided by an embodiment of the present application;
FIG. 2 is a second flow chart of a communication authentication method provided by an embodiment of the present application;
FIG. 3 is a flow chart of primary authentication initiation and identity submission provided by an embodiment of the present application;
FIG. 4 is a flow chart of a primary authentication procedure provided by an embodiment of the present application;
FIG. 5 is a first schematic diagram of a computation process provided by an embodiment of the present application;
FIG. 6 is a second schematic diagram of a computation process provided by an embodiment of the present application;
FIG. 7 is a flow chart of authentication synchronization failure recovery provided by an embodiment of the present application;
FIG. 8 is a first structural diagram of an ME provided by an embodiment of the present application;
FIG. 9 is a second structural diagram of an ME provided by an embodiment of the present application;
FIG. 10 is a first structural diagram of a target network element provided by an embodiment of the present application;
FIG. 11 is a second structural diagram of a target network element provided by an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solution and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and do not limit it.
The technical solution of the present application, and how it solves the above technical problem, are described in detail below through embodiments and with reference to the drawings. The embodiments below may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
In addition, the technical solutions recorded in the embodiments of the present application may be combined arbitrarily as long as they do not conflict.
Explanation of the relevant terms used in the embodiments of the present application:
Universal Subscriber Identity Module (USIM): stores data such as the root authentication key K and identifiers.
Mobile Equipment (ME): cooperates with the USIM to complete network authentication.
User Equipment (UE): the collective term for the ME and the USIM.
Security Anchor Function (SEAF) network element: the function through which the visited (serving) network authenticates the UE.
Authentication Server Function (AUSF): the function through which the home network authenticates the UE.
Unified Data Management (UDM) / Authentication Credential Repository and Processing Function (ARPF): stores the subscriber's subscription information, the core key K, and so on.
ECIES_KEM (Elliptic Curve Integrated Encryption Scheme): the 3GPP-defined Key Encapsulation Mechanism (KEM) scheme based on elliptic curves.
Key encapsulation mechanism based on a post-quantum cryptographic algorithm (Post Quantum Cryptography, PQC_KEM): a KEM scheme based on post-quantum public-key cryptography.
Key encapsulation mechanism (KEM): C = KEM_ENC(PK, M), where M is encrypted and encapsulated under the public key PK; KEM_ENC is a quantum-safe key encapsulation algorithm.
An embodiment of the present application provides a communication authentication method applied to the ME in a UE. FIG. 1 is a first flow chart of a communication authentication method provided by an embodiment of the present application. As shown in FIG. 1, in the embodiment of the present application, the communication authentication method applied to the ME mainly includes the following steps:
S101. When the USIM supports a 128-bit communication authentication algorithm, encrypt the subscriber permanent identifier SUPI of the USIM with the key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm to generate a subscription concealed identifier SUCI, and save the symmetric encryption key generated in the PQC_KEM computation.
In the embodiment of the present application, when the USIM supports a 128-bit communication authentication algorithm, the ME encrypts the Subscriber Permanent Identifier (SUPI) of the USIM with PQC_KEM, generates a Subscription Concealed Identifier (SUCI), and saves the symmetric encryption key generated in the PQC_KEM computation.
It can be understood that in the embodiment of the present application, the ME may check whether the USIM supports a 256-bit communication authentication algorithm. If the USIM does not support a 256-bit communication authentication algorithm but does support a 128-bit one, the SUPI is encrypted with PQC_KEM to obtain the SUCI, and the symmetric encryption key generated during the PQC_KEM computation, i.e. K_KEM (recommended length at least 256 bits), is kept secret. Because ECIES_KEM is built on elliptic curves and cannot withstand quantum attacks, PQC_KEM is used for the encryption instead.
S102. Forward the SUCI through the relevant network elements to the target network element in the home network, so that the target network element obtains the symmetric encryption key from the SUCI, processes the first authentication token with the symmetric encryption key, and forwards the result to the ME through the relevant network elements.
In the embodiment of the present application, once the ME has obtained the SUCI, it forwards it through the relevant network elements to the target network element in the home network.
In the embodiment of the present application, the ME forwarding the SUCI through the relevant network elements to the target network element in the home network includes: forwarding the SUCI to the target network element through the relevant network elements when the registration request is initiated.
It should be noted that in the embodiment of the present application, the target network element may be the UDM/ARPF; the embodiment does not limit this.
It should be noted that in the embodiment of the present application, the first authentication token is AUTN. The ME forwards the SUCI to the target network element through the relevant network elements; on that basis the target network element obtains the symmetric encryption key K_KEM from the SUCI, processes AUTN with K_KEM and provides the result to the ME. Because AUTN is transmitted only after processing with K_KEM, AUTN is effectively protected in transit, which improves the security of communication authentication.
In the embodiment of the present application, after saving the symmetric encryption key generated in the PQC_KEM computation, the ME may further perform the following steps: receiving a random number and a second authentication token generated by the target network element, and obtaining the first authentication token from the symmetric encryption key and the second authentication token, where the second authentication token is generated by processing the first authentication token with the symmetric encryption key; sending the random number and the first authentication token to the USIM, so that the USIM performs synchronization authentication based on the first authentication token and, after the synchronization authentication passes, generates a first encryption key and a first integrity key from the random number and the first authentication token.
It should be noted that in the embodiment of the present application, the first authentication token is AUTN and the second authentication token is AUTN*, which is generated from AUTN using K_KEM. The specific processing may be encrypting AUTN with K_KEM to obtain AUTN*, or another operation, for example AUTN* = AUTN xor K_KEM; the embodiment does not limit this. Since the ME holds K_KEM, it can recover AUTN from K_KEM and AUTN*.
It should be noted that in the embodiment of the present application, when the ME receives AUTN* it may also receive the random number RAND. After recovering AUTN from K_KEM and AUTN*, the ME sends AUTN and RAND together to the USIM, which performs synchronization authentication and, once that passes, key generation. After the USIM passes synchronization authentication based on AUTN, the first encryption key it generates from AUTN and RAND is CK and the first integrity key is IK.
In the embodiment of the present application, the ME may further perform the following steps: when the USIM synchronization authentication passes, receiving the first encryption key and the first integrity key sent by the USIM; constructing, with the symmetric encryption key, a second encryption key from the first encryption key and a second integrity key from the first integrity key, where the second encryption key and the second integrity key are used for key derivation.
It should be noted that in the embodiment of the present application, the ME may receive the CK and IK sent by the USIM after synchronization authentication passes, and then use K_KEM to construct keys from CK and IK for key derivation. Specifically, the second encryption key constructed by the ME from CK with K_KEM is CK_EXT, where CK_EXT is the low 128 bits of HASH(K_KEM || CK), and the second integrity key constructed from IK with K_KEM is IK_EXT, the low 128 bits of HASH(K_KEM || IK). This construction is only one option; other constructions may be adopted according to actual needs and application scenarios, and the embodiment does not limit this.
In the embodiment of the present application, the ME may further perform the following steps: when the USIM synchronization authentication fails, receiving the first resynchronization authentication token sent by the USIM; processing the first resynchronization authentication token with the symmetric encryption key to generate a second resynchronization authentication token; and forwarding the second resynchronization authentication token to the target network element through the relevant network elements.
It should be noted that in the embodiment of the present application, the ME may receive the first resynchronization authentication token, AUTS, sent by the USIM after synchronization authentication fails, process AUTS with K_KEM to generate the second resynchronization authentication token, AUTS*, and then send it to the target network element. This protects AUTS in transit and improves security.
FIG. 2 is a second flow chart of a communication authentication method provided by an embodiment of the present application. As shown in FIG. 2, the communication authentication method applied to the target network element in the home network mainly includes the following steps:
S201. Receive the subscription concealed identifier SUCI generated by the mobile equipment ME in the user equipment UE, where the UE further includes a universal subscriber identity module USIM, the USIM supports a 128-bit communication authentication algorithm, and the SUCI is generated by encrypting the subscriber permanent identifier SUPI of the USIM with the key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm.
In the embodiment of the present application, the target network element receives the SUCI generated by the ME; the SUCI is explained in the ME-side method above and is not repeated here.
S202. Decrypt the SUCI with PQC_KEM and save the symmetric encryption key generated in the PQC_KEM computation.
In the embodiment of the present application, once the target network element has obtained the SUCI, it decrypts the SUCI with PQC_KEM; the PQC_KEM computation yields the symmetric encryption key K_KEM, which is saved for the subsequent steps.
S203. Process the first authentication token with the symmetric encryption key and forward the result to the ME through the relevant network elements.
In the embodiment of the present application, the target network element processes the first authentication token, AUTN, with K_KEM and forwards the result to the ME through the relevant network elements, thereby protecting AUTN and improving the security of communication authentication.
In the embodiment of the present application, the target network element processing the first authentication token with the symmetric encryption key and forwarding the result to the ME through the relevant network elements includes: generating a first vector from the 128-bit root authentication key of the USIM, the first vector containing a random number, an expected authentication response, the first authentication token, a first encryption key and a first integrity key; processing the first authentication token with the symmetric encryption key to generate a second authentication token; constructing, with the symmetric encryption key, a second encryption key from the first encryption key and a second integrity key from the first integrity key, where the second encryption key and the second integrity key are used for key derivation; constructing an authentication vector from the random number, the expected authentication response, the second authentication token, the second encryption key and the second integrity key, where the authentication vector contains the random number and the second authentication token; and forwarding the authentication vector through the relevant network elements, so that the second authentication token in the authentication vector is sent to the ME together with the random number.
It should be noted that in the embodiment of the present application, as in the ME-side method, the target network element also uses K_KEM to construct CK_EXT from CK, where CK_EXT is the low 128 bits of HASH(K_KEM || CK), and IK_EXT from IK, where IK_EXT is the low 128 bits of HASH(K_KEM || IK). This construction is only one option; other constructions may be adopted according to actual needs and application scenarios, and the embodiment does not limit this.
It should be noted that in the embodiment of the present application, the target network element may construct the authentication vector from RAND, XRES, AUTN*, CK_EXT and IK_EXT, where XRES is the expected authentication response. Specifically, in the 5G authentication and key agreement scenario, a 5G home environment authentication vector (5G HE AV) may be constructed containing RAND, AUTN*, KAUSF and XRES*, where KAUSF = KDF(KAUSF_ID, CK_EXT || IK_EXT) and XRES* = KDF(RAND, XRES, CK_EXT || IK_EXT).
In the embodiment of the present application, after saving the symmetric encryption key generated in the PQC_KEM computation, the target network element may further perform the following steps: upon receiving the second resynchronization authentication token generated by the ME, decrypting the second resynchronization authentication token with the symmetric encryption key to obtain the first resynchronization authentication token, where the second resynchronization authentication token is generated by processing the first resynchronization authentication token with the symmetric encryption key; verifying the validity of the first resynchronization authentication token, and synchronizing the sequence number.
It should be noted that in the embodiment of the present application, if the USIM synchronization authentication fails, the target network element, mirroring the ME-side method, receives AUTS*. Since AUTS* is generated by processing AUTS with K_KEM, the target network element recovers AUTS from K_KEM and AUTS* and proceeds with authentication synchronization failure recovery.
The following describes the above communication authentication method by way of example in the 5G Authentication and Key Agreement (AKA) scenario, covering the primary authentication initiation and identifier submission procedure, the primary authentication procedure, and the authentication synchronization failure recovery procedure. It involves the interaction between the USIM and the ME in the UE, the UDM/ARPF in the home network (HN), and the SEAF in the serving network (SN).
FIG. 3 is a schematic flow diagram of primary authentication initiation and identifier submission provided by an embodiment of the present application. As shown in FIG. 3, the procedure mainly includes the following steps:
S1. When the network side requires the ME to send a SUCI for network authentication, the ME performs the following steps:
(1) Check whether the USIM is a new card.
Specifically, the ME checks whether the USIM is a new card supporting MILENAGE-256 (the 256-bit authentication algorithm). If it is not, that is, the USIM only supports MILENAGE-128 (the 128-bit authentication algorithm), steps (2) and (3) are performed.
(2) Encrypt the SUPI with PQC_KEM to obtain the SUCI.
(3) Save the K_KEM generated in the PQC_KEM computation.
Here the ME encrypts the SUPI with PQC_KEM to obtain the SUCI and at the same time secretly stores the K_KEM generated during the PQC_KEM computation (a length of at least 256 bits is recommended). Because ECIES_KEM is built on elliptic curves and cannot withstand quantum attacks, PQC_KEM can be used in its place.
S2. The ME sends an Initial Registration Request carrying the SUCI to the SEAF.
S3. The SEAF sends a Nudm_UEAuthentication_Get Request carrying the SUCI to the UDM/ARPF.
S4. The UDM/ARPF decrypts the SUPI using PQC_KEM and secretly stores the K_KEM generated during the PQC_KEM computation.
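Steps S1(2), S1(3) and S4 above, as an added worked example in Go; it is not code from the patent. It uses ML-KEM-768 from Go's standard library (crypto/mlkem, Go 1.24 or later) as the PQC_KEM and derives two keys from the KEM shared secret with HMAC-SHA256 under fixed labels: the K_KEM that both sides store for the later AKA run, and a separate AES-256-GCM key that only protects the SUPI inside the SUCI. The SUCI layout (KEM ciphertext || nonce || sealed SUPI), the labels, the sample SUPI and the way the ME obtains the home network's public key are this example's assumptions; the routing indicator and public key identifier of a real SUCI are omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length

// deriveKeys splits the ML-KEM shared secret into the K_KEM the page keeps for later AKA runs and a separate
// key that only protects SUPI inside this SUCI. HMAC-SHA256 under fixed labels is this example's choice of KDF.
func deriveKeys(shared []byte) (kKEM, kEnc []byte) {
	prf := func(label string) []byte {
		h := hmac.New(sha256.New, shared)
		h.Write([]byte(label))
		return h.Sum(nil)
	}
	return prf("K_KEM"), prf("SUPI-enc")
}

func gcmFor(kEnc []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(kEnc) // kEnc is 32 bytes, so this is AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// encapsulateSUPI is ME steps S1(2) and S1(3): encapsulate to the home network's ML-KEM-768 public key, seal the
// SUPI under the derived key, and return SUCI = KEM ciphertext || nonce || sealed SUPI plus the K_KEM to save.
func encapsulateSUPI(hnPub *mlkem.EncapsulationKey768, supi []byte) (suci, kKEM []byte, err error) {
	shared, kemCT := hnPub.Encapsulate()
	kKEM, kEnc := deriveKeys(shared)
	gcm, err := gcmFor(kEnc)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// The KEM ciphertext is bound in as associated data, so it cannot be swapped for another under the same SUPI.
	sealed := gcm.Seal(nil, nonce, supi, kemCT)
	return bytes.Join([][]byte{kemCT, nonce, sealed}, nil), kKEM, nil
}

// decapsulateSUCI is UDM/ARPF step S4: decapsulate with the home network's private key, re-derive the two keys,
// open the SUPI and keep the same K_KEM that the ME saved.
func decapsulateSUCI(hnPriv *mlkem.DecapsulationKey768, suci []byte) (supi, kKEM []byte, err error) {
	if len(suci) < mlkem.CiphertextSize768+nonceSize {
		return nil, nil, errors.New("SUCI too short")
	}
	kemCT, rest := suci[:mlkem.CiphertextSize768], suci[mlkem.CiphertextSize768:]
	shared, err := hnPriv.Decapsulate(kemCT)
	if err != nil {
		return nil, nil, err
	}
	kKEM, kEnc := deriveKeys(shared)
	gcm, err := gcmFor(kEnc)
	if err != nil {
		return nil, nil, err
	}
	if supi, err = gcm.Open(nil, rest[:nonceSize], rest[nonceSize:], kemCT); err != nil {
		return nil, nil, err // wrong home network key, tampered SUCI or swapped KEM ciphertext all end here
	}
	return supi, kKEM, nil
}

func main() {
	hn, err := mlkem.GenerateKey768() // home network key pair; the public half is what the UE is provisioned with
	if err != nil {
		panic(err)
	}
	supi := []byte("imsi-001010123456789") // constructed sample SUPI
	suci, kME, err := encapsulateSUPI(hn.EncapsulationKey(), supi)
	if err != nil {
		panic(err)
	}
	got, kHN, err := decapsulateSUCI(hn, suci)
	fmt.Printf("err=%v SUPI recovered=%v K_KEM agrees=%v K_KEM bits=%d SUCI bytes=%d\n",
		err, bytes.Equal(got, supi), bytes.Equal(kME, kHN), 8*len(kME), len(suci))
}
```

Two properties of this construction are worth checking rather than assuming: the same SUPI yields a different SUCI and a different K_KEM on every registration, which is what keeps the identifier unlinkable and gives each authentication run its own K_KEM; and because the KEM ciphertext is associated data of the GCM seal, modifying either part of the SUCI, or decapsulating it under a different home network key, fails at step S4 instead of yielding a wrong K_KEM silently.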
FIG. 4 is a schematic diagram of a primary authentication procedure provided by an embodiment of the present application. As shown in FIG. 4, the procedure mainly includes the following steps:
S1. The UDM/ARPF constructs the 5G HE AV: the UDM/ARPF decrypts the SUPI from the SUCI and creates the AV (RAND, AUTN, XRES, CK, IK). The UDM/ARPF then derives KAUSF and XRES* from the AV and finally creates a 5G HE AV containing RAND, AUTN (AUTN* in this embodiment, see (2) below), XRES* and KAUSF. This mainly involves:
(1) Compute the AV from the 128-bit K.
Here the UDM/ARPF looks up the subscription data of the corresponding USIM by SUPI. If the USIM is an old card supporting only 128 bits, the AV = (RAND, AUTN, XRES, CK, IK) is computed with the MILENAGE-128 algorithm from the K held in the USIM; see FIG. 5, where AUTN := SQN⊕AK || AMF || MAC and AV := RAND || XRES || CK || IK || AUTN, involving the sequence number (SQN), the authentication management field (AMF) and the message authentication code (MAC). AUTN is 128 bits in total (48-bit SQN⊕AK, 16-bit AMF, 64-bit MAC).
(2) Encrypt AUTN to obtain AUTN*.
Here AUTN is encrypted with the key K_KEM to obtain AUTN* = E(K_KEM, AUTN). It should be noted that the symmetric encryption algorithm E is recommended to be quantum-safe, for example AES-256 with a 256-bit key and a 128-bit block size, so that AUTN* is the same size as AUTN and the original protocol messages are unchanged.
(3) Compute CK_EXT and IK_EXT to replace CK and IK.
Here CK_EXT is the low 128 bits of HASH(K_KEM||CK) and IK_EXT is the low 128 bits of HASH(K_KEM||IK).
(4) Construct the 5G HE AV.
Here CK_EXT and IK_EXT replace CK and IK respectively, KAUSF and XRES* are derived through the one-way KDF, and a 5G HE AV containing RAND, AUTN*, XRES* and KAUSF is obtained.
S2. The UDM/ARPF sends RAND and AUTN* towards the SEAF via the AUSF.
Here the UDM/ARPF sends the 5G HE AV constructed above to the AUSF: the UDM returns the requested 5G HE AV to the AUSF in the Nudm_UEAuthentication_Get Response, indicating that the 5G HE AV is to be used for 5G AKA. If the Nudm_UEAuthentication_Get Request contained a SUCI, the UDM also includes the SUPI in the Nudm_UEAuthentication_Get Response.
The AUSF temporarily stores XRES* together with the received SUCI or SUPI. The AUSF may store KAUSF.
The AUSF then generates a 5G AV from the 5G HE AV received from the UDM/ARPF: it computes HXRES* from XRES*, derives KSEAF from KAUSF, and replaces XRES* and KAUSF in the 5G HE AV with HXRES* and KSEAF respectively, where KSEAF is the security anchor function key.
The AUSF then removes KSEAF and sends the 5G SE AV (RAND, AUTN*, HXRES*) to the SEAF in the Nausf_UEAuthentication_Authenticate Response.
S3. The SEAF sends RAND and AUTN* to the ME in an Authentication Request message. This message also contains the ngKSI, used by the UE and the Access and Mobility Management Function (AMF) to identify KAMF and the partial native security context, and the ABBA parameter.
S4. The ME decrypts AUTN* with K_KEM to obtain AUTN.
S5. The ME forwards RAND and AUTN to the USIM.
S6. On receiving RAND and AUTN, the USIM performs the following steps:
(1) Verify AUTN. Specifically, check whether AUTN can be accepted, thereby verifying that the authentication vector is fresh; see FIG. 6: verify that MAC = XMAC and that SQN is in the correct range. If verification succeeds, perform step (2).
(2) Compute the response RES, and CK and IK.
S7. The USIM sends RES, CK and IK to the ME.
S8. The ME performs the following steps:
(1) The ME computes CK_EXT and IK_EXT to replace CK and IK:
CK_EXT is the low 128 bits of HASH(K_KEM||CK);
IK_EXT is the low 128 bits of HASH(K_KEM||IK).
(2) Compute RES* and the other parameters.
The ME replaces CK and IK with CK_EXT and IK_EXT respectively, computes RES* (the authentication result) from RES through the corresponding derivation function, derives KAUSF from CK_EXT||IK_EXT, and derives KSEAF from KAUSF.
S9. The ME returns RES* to the SEAF in the NAS Authentication Response message.
The SEAF then computes the hash authentication result HRES* from RES* and compares HRES* with the hash expected authentication result HXRES*. If the two values match, the SEAF considers the authentication successful from the serving network's point of view; otherwise it considers the authentication failed and indicates the failure to the AUSF.
The SEAF sends RES*, together with the SUCI or SUPI, to the AUSF in a Nausf_UEAuthentication_Authenticate Request message.
On receiving the Nausf_UEAuthentication_Authenticate Request containing RES*, the AUSF may check whether the AV has expired; if it has, the AUSF may consider the authentication unsuccessful from the home network's point of view. The AUSF compares the received RES* with the stored XRES*. If RES* and XRES* match, the AUSF considers the authentication successful from the home network's point of view.
The AUSF indicates to the SEAF in the Nausf_UEAuthentication_Authenticate Response whether the authentication succeeded. If it succeeded, KSEAF is sent to the SEAF in that response. If the AUSF received a SUCI from the SEAF when authentication was initiated and the authentication succeeded, the AUSF also includes the SUPI in the Nausf_UEAuthentication_Authenticate Response.
If the authentication succeeded, the SEAF uses the KSEAF received in the Nausf_UEAuthentication_Authenticate Response as the anchor key. The SEAF then derives KAMF from KSEAF, the ABBA parameter and the SUPI, and provides the ngKSI and KAMF to the AMF.
If a SUCI was used for this authentication, the SEAF provides the ngKSI and KAMF to the AMF only after receiving the Nausf_UEAuthentication_Authenticate Response containing the SUPI; no communication service is provided to the UE until the serving network knows the SUPI.
FIG. 7 is a schematic flow diagram of authentication synchronization failure recovery provided by an embodiment of the present application. As shown in FIG. 7, the procedure mainly includes the following steps:
S1. When the USIM's verification of AUTN reveals an SQN (sequence number) synchronization failure, the USIM generates AUTS.
S2. The USIM returns AUTS to the ME.
S3. The ME encrypts AUTS with K_KEM to obtain AUTS*. Note that AUTS = SQN_MS⊕AK* || MAC-S is 112 bits, so unlike AUTN it does not fill one 128-bit block; the embodiment does not specify the padding or mode of operation that E uses for it.
S4. The ME sends AUTS* to the SEAF.
S5. The SEAF sends RAND and AUTS* to the UDM/ARPF.
S6. The UDM/ARPF performs the following steps:
(1) Decrypt AUTS* to obtain AUTS;
(2) Verify the validity of AUTS and resynchronize the SQN.
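The primary authentication procedure of FIG. 4 (S1 to S8) and the synchronization failure recovery procedure of FIG. 7, as one added worked example in Go; it is not the patent's code. It assumes both sides already hold the same 256-bit K_KEM from the PQC_KEM step and does not repeat the KEM. MILENAGE-128 is implemented from 3GPP TS 35.206 over AES-128; AUTN* = E(K_KEM, AUTN) is a single AES-256 block because AUTN is exactly 128 bits; CK_EXT and IK_EXT take HASH as SHA-256 and "low 128 bits" as the last 16 bytes of the digest; AUTS* uses AES-256-CTR with the run's RAND as IV, since the page does not say how E handles the 112-bit AUTS; and the USIM's SQN window is simplified to SQN > SQN_MS. The sample K, OP, K_KEM and RAND are constructed; KAUSF, XRES* and the AUSF/SEAF steps are outside the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var sampleK, sampleOP = bytes.Repeat([]byte{0x4b}, 16), bytes.Repeat([]byte{0x0f}, 16)      // constructed USIM K and OP
var sampleKKEM, sampleRAND = bytes.Repeat([]byte{0xa5}, 32), bytes.Repeat([]byte{0x3c}, 16) // constructed 256-bit K_KEM (shared after PQC_KEM) and RAND
var amfSep, amfResync = []byte{0x80, 0x00}, []byte{0x00, 0x00}                              // 5G AMF with the separation bit; AMF* = 0 for f1*

func aesCipher(key []byte) cipher.Block { c, err := aes.NewCipher(key); if err != nil { panic(err) }; return c } // AES-128 or AES-256 by key size
func enc(key, in []byte) []byte         { out := make([]byte, 16); aesCipher(key).Encrypt(out, in); return out }
func dec(key, in []byte) []byte         { out := make([]byte, 16); aesCipher(key).Decrypt(out, in); return out }
func xor(a, b []byte) []byte            { out := make([]byte, len(a)); subtle.XORBytes(out, a, b); return out }
func rot(in []byte, r int) []byte       { return append(append([]byte{}, in[r/8:]...), in[:r/8]...) } // rotate left by r bits
// milenage implements f1, f1*, f2..f5 and f5* of 3GPP TS 35.206 over AES-128 (r1..r5 = 64,0,32,64,96 bits;
// c1..c5 = 0,1,2,4,8 in the last byte). Validate it against the TS 35.208 test sets before relying on it.
type milenage struct{ k, opc []byte }
func newMilenage(k, op []byte) milenage { return milenage{k, xor(enc(k, op), op)} }
func (m milenage) f1(rand, sqn, amf []byte) (macA, macS []byte) { // f1 and f1*
	temp := enc(m.k, xor(rand, m.opc))
	in1 := bytes.Join([][]byte{sqn, amf, sqn, amf}, nil)
	out1 := xor(enc(m.k, xor(temp, rot(xor(in1, m.opc), 64))), m.opc)
	return out1[:8], out1[8:]
}
func (m milenage) f2345(rand []byte) (res, ck, ik, ak, akStar []byte) { // f2, f3, f4, f5 and f5*
	temp := xor(enc(m.k, xor(rand, m.opc)), m.opc)
	f := func(r int, c byte) []byte {
		in := rot(temp, r)
		in[15] ^= c
		return xor(enc(m.k, in), m.opc)
	}
	out2, out3, out4, out5 := f(0, 1), f(32, 2), f(64, 4), f(96, 8)
	return out2[8:], out3, out4, out2[:6], out5[:6]
}
// extKey is the page's CK_EXT / IK_EXT, the low 128 bits of HASH(K_KEM||key); assumed: SHA-256, low = last 16 bytes.
func extKey(kKEM, key []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, kKEM...), key...))
	return h[16:]
}
// ctrAUTS wraps AUTS, which is 112 bits rather than a whole block, a case the page leaves open. Assumed here:
// AES-256-CTR under K_KEM with this run's RAND as the IV (RAND is sent next to AUTS* in S5); it is its own inverse.
func ctrAUTS(kKEM, rand, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(aesCipher(kKEM), rand).XORKeyStream(out, in)
	return out
}
// usimVerify is S6 on the USIM: check MAC = XMAC, then SQN freshness, simplified here to SQN > SQN_MS (TS 33.102
// uses a window). On a stale SQN it returns AUTS = SQN_MS⊕AK* || MAC-S instead of RES, CK and IK.
func usimVerify(m milenage, rand, autn, sqnMS []byte) (res, ck, ik, auts []byte, err error) {
	res, ck, ik, ak, akStar := m.f2345(rand)
	sqn := xor(autn[:6], ak)
	if xmac, _ := m.f1(rand, sqn, autn[6:8]); !bytes.Equal(xmac, autn[8:]) {
		return nil, nil, nil, nil, errors.New("MAC failure")
	}
	if bytes.Compare(sqn, sqnMS) <= 0 {
		_, macS := m.f1(rand, sqnMS, amfResync)
		return nil, nil, nil, append(xor(sqnMS, akStar), macS...), errors.New("sync failure")
	}
	return res, ck, ik, nil, nil
}
func udmResync(m milenage, rand, auts []byte) (sqnMS []byte, err error) { // recovery flow S6 on UDM/ARPF
	_, _, _, _, akStar := m.f2345(rand)
	sqnMS = xor(auts[:6], akStar)
	if _, macS := m.f1(rand, sqnMS, amfResync); !bytes.Equal(macS, auts[6:]) {
		return nil, errors.New("AUTS MAC-S failure")
	}
	return sqnMS, nil
}
// runAKA is one run between UDM/ARPF (kHome, sqnHE) and ME+USIM (kUE, sqnMS), kHome and kUE being the K_KEM each
// side saved. It returns CK_EXT||IK_EXT as each side computed it, or the SQN_MS the home network recovered via AUTS*.
func runAKA(m milenage, kHome, kUE, rand, sqnHE, sqnMS []byte) (homeKey, ueKey, recovered []byte, err error) {
	macA, _ := m.f1(rand, sqnHE, amfSep)
	_, ckHE, ikHE, ak, _ := m.f2345(rand)
	autn := bytes.Join([][]byte{xor(sqnHE, ak), amfSep, macA}, nil) // S1(1): AUTN = SQN⊕AK||AMF||MAC
	autnStar := enc(kHome, autn)                                    // S1(2): AUTN* = E(K_KEM, AUTN), one AES-256 block
	homeKey = append(extKey(kHome, ckHE), extKey(kHome, ikHE)...)   // S1(3): what KAUSF and XRES* are derived from
	_, ck, ik, auts, err := usimVerify(m, rand, dec(kUE, autnStar), sqnMS) // S4 (ME decrypts AUTN*) to S7
	if auts == nil && err == nil {
		return homeKey, append(extKey(kUE, ck), extKey(kUE, ik)...), nil, nil // S8(1) on the ME
	}
	if auts != nil { // recovery flow S3 to S6: ME encrypts AUTS, UDM/ARPF decrypts it and resynchronizes
		recovered, err = udmResync(m, rand, ctrAUTS(kHome, rand, ctrAUTS(kUE, rand, auts)))
	}
	return nil, nil, recovered, err
}

func main() { // stand-alone demo of the in-sync case; a stale sqnHE takes runAKA through the recovery path instead
	home, ue, _, err := runAKA(newMilenage(sampleK, sampleOP), sampleKKEM, sampleKKEM, sampleRAND, []byte{0, 0, 0, 0, 0, 9}, []byte{0, 0, 0, 0, 0, 8})
	fmt.Printf("err=%v; both sides hold the same %d-bit CK_EXT||IK_EXT: %v\n", err, 8*len(home), bytes.Equal(home, ue))
}
```

Two points this makes visible that the text does not: AUTN* is a deterministic block encryption, so its per-run freshness comes from the RAND and SQN inside AUTN rather than from E, and a replayed AUTN* is caught by the USIM's SQN check exactly as a replayed AUTN would be; and a UE whose stored K_KEM is not the one the home network derived from the SUCI cannot turn AUTN* back into an AUTN with a valid MAC, which is what ties the authentication run to the identifier submission that started it.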
From the above, the technical solution provided by the embodiments of the present application has the following advantages. First, it improves the security of the AKA protocol in the new-ME-plus-old-USIM scenario and reduces the risk of the K in the old USIM being broken. Second, the generated CK_EXT||IK_EXT is a 256-bit key with sufficient entropy and can provide 256-bit security; since CK and IK are still derived from the 128-bit K, this security level rests on K_KEM, which is why K_KEM must be at least 256 bits and kept secret by both sides. Third, compared with the original AKA protocol, only the ME and the target network element (UDM/ARPF) need to be modified; no other network elements or interfaces change, so the modification cost is low and compatibility with the original protocol is high.
An embodiment of the present application provides an ME. FIG. 8 is a first structural schematic diagram of an ME provided by an embodiment of the present application. As shown in FIG. 8, the ME includes:
a first processing module 801, configured to, when the USIM supports the 128-bit authentication algorithm, encrypt the subscription permanent identifier SUPI of the USIM with a key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm to generate a subscription concealed identifier SUCI, and to save the symmetric encryption key generated in the PQC_KEM computation;
a first communication module 802, configured to forward the SUCI through the relevant network elements to a target network element in the home network, so that the target network element obtains the symmetric encryption key from the SUCI, processes a first authentication token with the symmetric encryption key and forwards it to the ME through the relevant network elements.
In an embodiment of the present application, the first communication module 802 is configured to forward the SUCI to the target network element through the relevant network elements in the initial registration request.
In an embodiment of the present application, the first communication module 802 is further configured to receive the random number and the second authentication token generated by the target network element;
the first processing module 801 is further configured to obtain the first authentication token from the symmetric encryption key and the second authentication token, the second authentication token having been generated by processing the first authentication token with the symmetric encryption key;
the first communication module 802 is further configured to send the random number and the first authentication token to the USIM, so that the USIM performs the synchronization check on the first authentication token and, if the check passes, generates the first cipher key and the first integrity key from the random number and the first authentication token.
In an embodiment of the present application, the first communication module 802 is further configured to receive the first cipher key and the first integrity key sent by the USIM when the USIM's synchronization check passes;
the first processing module 801 is further configured to use the symmetric encryption key to construct the second cipher key from the first cipher key and the second integrity key from the first integrity key;
where the second cipher key and the second integrity key are used for key derivation.
In an embodiment of the present application, the first communication module 802 is further configured to receive the first resynchronization token sent by the USIM when the USIM's synchronization check fails;
the first processing module 801 is further configured to process the first resynchronization token with the symmetric encryption key to generate the second resynchronization token;
the first communication module 802 is further configured to forward the second resynchronization token to the target network element through the relevant network elements.
FIG. 9 is a second structural schematic diagram of an ME provided by an embodiment of the present application. As shown in FIG. 9, the ME includes a first processor 901, a first memory 902 and a first communication bus 903;
the first communication bus 903 is used to implement the communication connection between the first processor 901 and the first memory 902;
the first processor 901 is used to execute one or more computer programs stored in the first memory 902 to implement the communication authentication method applied to the ME.
An embodiment of the present application provides a target network element. FIG. 10 is a first structural schematic diagram of a target network element provided by an embodiment of the present application. As shown in FIG. 10, the target network element includes:
a second communication module 1001, configured to receive a subscription concealed identifier SUCI generated by the mobile equipment ME in the user equipment UE; the UE further includes a universal subscriber identity module USIM that supports the 128-bit authentication algorithm, and the SUCI is generated by encrypting the subscription permanent identifier SUPI of the USIM with a key encapsulation mechanism PQC_KEM based on a post-quantum cryptographic algorithm;
a second processing module 1002, configured to decrypt the SUCI with the PQC_KEM and save the symmetric encryption key generated in the PQC_KEM computation, and to process the first authentication token with the symmetric encryption key, after which the second communication module 1001 forwards it to the ME through the relevant network elements.
In an embodiment of the present application, the second processing module 1002 is configured to generate a first vector from the 128-bit root authentication key of the USIM, the first vector containing a random number, an expected authentication response, the first authentication token, a first cipher key and a first integrity key; process the first authentication token with the symmetric encryption key to generate a second authentication token; use the symmetric encryption key to construct a second cipher key from the first cipher key and a second integrity key from the first integrity key, the second cipher key and the second integrity key being used for key derivation; and construct an authentication vector from the random number, the expected authentication response, the second authentication token, the second cipher key and the second integrity key, the authentication vector containing the random number and the second authentication token;
the second communication module 1001 is configured to forward the authentication vector through the relevant network elements so that the second authentication token in the authentication vector reaches the ME together with the random number.
In an embodiment of the present application, the second processing module 1002 is further configured to, when the second communication module 1001 receives the second resynchronization token generated by the ME, obtain the first resynchronization token from the symmetric encryption key and the second resynchronization token, the second resynchronization token having been generated by processing the first resynchronization token with the symmetric encryption key; and to verify the validity of the first resynchronization token and synchronize the sequence number.
FIG. 11 is a second structural schematic diagram of a target network element provided by an embodiment of the present application. As shown in FIG. 11, the target network element includes a second processor 1101, a second memory 1102 and a second communication bus 1103;
the second communication bus 1103 is used to implement the communication connection between the second processor 1101 and the second memory 1102;
the second processor 1101 is used to execute one or more computer programs stored in the second memory 1102 to implement the communication authentication method applied to the target network element.
An embodiment of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the above communication authentication method.
An embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the above communication authentication method. The computer-readable storage medium may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); it may also be a device including one or any combination of the above memories, such as a mobile phone, a computer, a tablet device or a personal digital assistant.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present application is described with reference to flow diagrams and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow diagrams and/or one or more blocks of the block diagrams.
The above is only a specific implementation of the present application, and the scope of protection of the present application is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive of within the technical scope disclosed by the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be that of the claims.
| Application Number | Priority Date | Filing Date | Publication Number | Publication Date | Status | Title |
|---|---|---|---|---|---|---|
| CN202410534242.2A | 2024-04-29 | 2024-04-29 | CN118802307A | 2024-10-18 | Pending | Communication authentication method and related device, storage medium, and computer program product |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101132649A (en)* | 2007-09-29 | 2008-02-27 | 大唐微电子技术有限公司 | Network access authentication method and its USIM card |
| WO2020024764A1 (en)* | 2018-08-03 | 2020-02-06 | 华为技术有限公司 | Method and apparatus for verifying user equipment identifier in authentication process |
| EP3684088A1 (en)* | 2019-01-18 | 2020-07-22 | Thales Dis France SA | A method for authentication a secure element cooperating with a mobile equipment within a terminal in a telecommunication network |
| CN111641498A (en)* | 2019-03-01 | 2020-09-08 | 中兴通讯股份有限公司 | Method and device for determining key |
| CN111770496A (en)* | 2020-06-30 | 2020-10-13 | 中国联合网络通信集团有限公司 | A 5G-AKA authentication method, unified data management network element and user equipment |
| CN115038078A (en)* | 2017-07-25 | 2022-09-09 | 瑞典爱立信有限公司 | Authentication server, UE and method and medium thereof for obtaining SUPI |
| Title |
|---|
| PAULIAC MIREILLE: "USIM in 5G Era", Journal of ICT Standardization, 1 January 2020 (2020-01-01)* |
| Xie Zhen: "Research on Security Enhancement of the 5G Network Authentication and Key Agreement Protocol", China Master's Theses Full-text Database, Information Science and Technology Series, 15 February 2023 (2023-02-15)* |
| Publication | Title |
|---|---|
| CN108599925B (en) | Improved AKA identity authentication system and method based on quantum communication network |
| US11533297B2 (en) | Secure communication channel with token renewal mechanism |
| CN108886468B (en) | System and method for distributing identity-based key material and certificates |
| US20200195446A1 (en) | System and method for ensuring forward & backward secrecy using physically unclonable functions |
| CN108599926B (en) | HTTP-Digest improved AKA identity authentication system and method based on symmetric key pool |
| CN106941404B (en) | Key protection method and device |
| CN111835691A (en) | Authentication information processing method, terminal and network device |
| CN118540163B (en) | Anti-quantum security enhancement method for national secret SSL VPN protocol |
| CN114386020B (en) | Quantum-safe fast secondary identity authentication method and system |
| CN116074839B (en) | Authentication method for accessing quantum security terminal into quantum security network |
| JP2023534755A (en) | Pre-shared key PSK update method and apparatus |
| KR102539418B1 (en) | Apparatus and method for mutual authentication based on physical unclonable function |
| CN118659881B (en) | Quantum-resistant security enhancement method for secure shell protocol |
| CN116248290A (en) | Identity authentication method and device and electronic equipment |
| CN119766433A (en) | Encryption communication method, device and system supporting post quantum algorithm |
| CN118555133A (en) | A method to enhance the quantum security of transport layer security protocol |
| CN115865520B (en) | Authentication and access control method with privacy protection in mobile cloud service environment |
| CN114285557B (en) | Communication decryption method, system and device |
| CN118802307A (en) | Communication authentication method and related device, storage medium, and computer program product |
| WO2010094185A1 (en) | Secure handoff method and system |
| CN118659923B (en) | A quantum-resistant security enhancement method for the Simple Authentication and Security Layer protocol |
| CN118694529B (en) | Quantum-resistant security enhancement method for secure channel protocol of password equipment |
| CA3210990C (en) | End to end encryption with roaming capabilities |
| CN119834967B (en) | A data protection method integrating quantum keys into TLS |
| CN118828501A (en) | Authentication method and device, communication equipment, storage medium, and program product |
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |